[CLUE-Tech] signing CA private key with another CA?

Jim Ockers ockers at ockers.net
Thu Aug 28 09:56:34 MDT 2003


Hi Jeffrey,

Thanks for the reply.

Jeffrey Brown wrote:
> 
> I don't think it can be done ...

I agree.

> openssl req -new -key /root/ssl/private.key -out /root/ssl/private.csr
> 
> results in a CSR (certificate signing request). I believe this allows
> one to have their key signed by another to create a chained authority on
> the certificate. I don't think one can sign a private key without a CSR
> however, I'm definitely not an expert in this area. The following script
> is what I use to generate a CA & public key cert.
> 
> 1) openssl genrsa -out /root/ssl/ca.key 1024
> 2) openssl req -new -key /root/ssl/ca.key -out /root/ssl/ca.csr
> 3) openssl x509 -req -days 730 -in /root/ssl/ca.csr \
>        -signkey /root/ssl/ca.key -out /root/ssl/ca.crt
> 
> 1) Generates a private key w/ 1024 bit modulus
> 2) Requests a CSR from the private key
> 3) Requests an X.509 certificate valid for 730 days from the CSR and
> signed by the private key.

The X.509 "certificate" that was signed by the CA private key is the
public key ("certificate request") associated with some other private
key which is normally found on a web server or some such SSL device.

I can't seem to find a way to turn a private key into a "certificate
request" and I suspect that even if I changed the "BEGIN RSA PRIVATE
KEY" to "BEGIN CERTIFICATE REQUEST" or something like that, and then
managed to get it signed, openssl/ssleay would barf when I tried to 
use the signed key as a private key to sign other public keys.

Too bad I can't just use PGP for this.  Or can I?  I don't know how
(or even if PGP supports x509 stuff) but if anyone does know please 
advise.

I gave up on making the sub-CA and just copied the whole CA, keys 
and all, to the new openssl system.  It seems to work OK.

Thanks,
Jim

> 
> If you find a way ... let us know.
> 
> >>> ockers at ockers.net 8/27/2003 11:39:50 AM >>>
> Hi all,
> 
> I need some help.  We are using the openssl and ssleay x509
> facility to operate a small internal certificate authority 
> (CA), for issuing SSL certificates to web sites and software 
> code signing.  We find this to be pretty handy since we can
> generally load our certificate authority's public key into
> browsers and software that we control.
> 
> And we don't have to pay Verisign anything for this, which
> is good.
> 
> I need to migrate an old ssleay based CA to openssl on a new
> system.  For various boring technical reasons I don't want
> to just copy the private key of the old CA to the new system -
> I want to make a new CA but which inherits the privileges of
> the old CA, but which starts out with new serial numbers and
> a new CRL etc.
> 
> I remember from my days of using PGP that I could sign someone
> else's PGP private key with my private key, then anything they
> send me signed with their private key would be verified by my
> PGP software since I'd signed their private key previously.
> 
> I want to do this with our certificate authority: I want to
> sign the new CA's private key with the old CA's private key,
> so that certificates issued (keys signed) by the new CA will
> be verified by the old CA's public key, and the web browsers
> won't display a warning etc. etc. etc. because they have the
> old CA's public key already loaded.
> 
> I think it is technically possible to do this because I 
> can get an unlimited certificate from Verisign (for the
> "right" amount of money), in which they would sign my CA
> private key with their CA private key and then I could go
> on and issue certificates that would be properly validated
> through the chain.
> 
> Does anyone know how to sign a CA private key using openssl
> or ssleay?  Neither of these appears to have any signing
> functionality other than signing "certificate requests" (public
> keys from web servers etc) or signing random data.  I 
> specifically can't find anything in there about signing a
> private key.
> 
> My private key looks like this:
> 
> -----BEGIN RSA PRIVATE KEY-----
> WhAtEvEr
> -----END RSA PRIVATE KEY-----
> 
> All I get is error messages from ssleay & openssl when I try
> to sign that.  Since it's not plain data I don't want to just
> use rsautl -sign to sign it.  Plus ssleay doesn't have a
> rsautl function anyway.  If it makes any difference we are
> migrating away from "SSLeay 0.6.6 14-Jan-1997" .  The "rsa"
> function doesn't have a "sign" option of course.
> 
> Any ideas?  I'd sure appreciate it.
> 
> Thanks,
> Jim
> 
> -- 
> Jim Ockers, P.Eng. (ockers at ockers.net)
> Contact info: please see http://www.ockers.net/ 

-- 
Jim Ockers, P.Eng. (ockers at ockers.net)
Contact info: please see http://www.ockers.net/
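Editor's note, added to this archived thread and not code posted by either correspondent: the mechanism the original question is reaching for does exist, it just is not "signing the private key". The new CA makes a CSR from its own key (as in the quoted three-step script), the old CA signs that CSR, and the resulting certificate is marked as a CA with X.509 v3 extensions (basicConstraints CA:TRUE, keyUsage keyCertSign/cRLSign). Certificates the new CA then issues validate against the old CA's public key already loaded in the browsers, provided the server also sends the new CA's certificate as an intermediate. The script below builds exactly that chain with a current openssl and checks it with openssl verify; it also shows the failure mode of signing the sub-CA without those extensions, which is what the bare `openssl x509 -req` in the thread produces. Directory layout, subject names, the 2048-bit key size (1024-bit RSA as used in the thread is no longer considered adequate) and the minimal req config are assumptions; whether SSLeay 0.6.6 can emit v3 extensions is not something the thread establishes, so the example assumes an openssl of at least 1.0.2 on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): old self-signed CA -> new sub-CA -> server
# certificate, with the sub-CA certificate issued from a CSR and marked CA:TRUE.
# All file names, subjects and key sizes are assumptions for illustration.
set -eu

# Minimal config so 'openssl req' does not depend on the system openssl.cnf
# when the subject is given with -subj.
write_req_cnf() {
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1"
}

# Extensions that make a certificate usable as a CA. Leaving them out is the
# classic mistake: the files look fine in a text dump but path validation fails.
write_ca_ext() {
    cat > "$1" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Extensions for an end-entity (web server) certificate.
write_leaf_ext() {
    cat > "$1" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# new_key_and_csr DIR NAME SUBJECT : private key plus the CSR that will be signed.
new_key_and_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/req.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
}

# sign_csr DIR CSR ISSUER EXTFILE OUT DAYS : issue OUT.crt from CSR.csr using
# ISSUER.key/ISSUER.crt. An empty EXTFILE mimics the thread's bare
# 'openssl x509 -req', which adds no CA extensions at all.
sign_csr() {
    if [ -n "$4" ]; then
        openssl x509 -req -sha256 -days "$6" -in "$1/$2.csr" -CA "$1/$3.crt" \
            -CAkey "$1/$3.key" -CAcreateserial -extfile "$1/$4" -out "$1/$5.crt"
    else
        openssl x509 -req -sha256 -days "$6" -in "$1/$2.csr" -CA "$1/$3.crt" \
            -CAkey "$1/$3.key" -CAcreateserial -out "$1/$5.crt"
    fi
}

# build_chain DIR SUBCA_EXT : build old-ca, new-ca (signed by old-ca) and server
# (signed by new-ca). SUBCA_EXT is "ca.ext" for a proper sub-CA or "" for the
# broken variant.
build_chain() {
    d="$1"; mkdir -p "$d"
    write_req_cnf "$d/req.cnf"; write_ca_ext "$d/ca.ext"; write_leaf_ext "$d/leaf.ext"

    # The old CA: self-signed root, as in the thread's three steps but with CA
    # extensions. Stands in for the existing ssleay CA.
    new_key_and_csr "$d" old-ca "/CN=Old Internal CA"
    openssl x509 -req -sha256 -days 3650 -in "$d/old-ca.csr" -signkey "$d/old-ca.key" \
        -extfile "$d/ca.ext" -out "$d/old-ca.crt"

    # The new CA: fresh key, CSR from that key, certificate issued by the old CA.
    # This is the "signing" the question asks for; the private key never leaves.
    new_key_and_csr "$d" new-ca "/CN=New Internal CA"
    sign_csr "$d" new-ca old-ca "$2" new-ca 1825

    # A server certificate issued by the new CA only.
    new_key_and_csr "$d" server "/CN=www.example.test"
    sign_csr "$d" server new-ca leaf.ext server 365
}

# verify_chain DIR : does the server cert validate with only the old CA trusted?
# The sub-CA cert is offered as "untrusted", exactly as a web server would send it.
verify_chain() {
    openssl verify -CAfile "$1/old-ca.crt" -untrusted "$1/new-ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_is_ca FILE : true if the certificate carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

if [ "${1:-}" = "run" ]; then
    good=$(mktemp -d); bad=$(mktemp -d)
    build_chain "$good" ca.ext && verify_chain "$good" && echo "sub-CA chain: OK"
    build_chain "$bad" "" && { verify_chain "$bad" || echo "sub-CA without CA extensions: rejected"; }
fi
```

Run it as `sh chain.sh run`. The good chain verifies; the variant whose sub-CA was issued with no extension file is rejected by openssl verify (and would be by a browser), because a certificate that is neither self-signed nor marked as a CA is not accepted as an issuer. The old CA's serial file (old-ca.srl) is created by -CAcreateserial and is the only state the old CA has to keep; the new CA starts with its own serial file and its own CRL, which is what the original question wanted.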